b'NATIONAL CREDIT UNION ADMINISTRATION\n\n      OFFICE OF INSPECTOR GENERAL\n\n\n\n\n             YEAR 2000\n        READINESS STATUS OF\n       CREDIT UNION VENDORS\n\n\n\n\n      OIG 99-10     December 7, 1999\n\n\n\n\n          _______________________\n\n            FRANK THOMAS\n          INSPECTOR GENERAL\n\x0c                     TABLE OF CONTENTS\n\n                                          PAGE\n\nINTRODUCTION                               1\n\nBACKGROUND                                 1\n\nOBJECTIVES                                 2\n\nSCOPE AND METHODOLOGY                      2\n\n\nOBSERVATIONS                               4\n    NCUA Vendor Reviews                    4\n    FFIEC Vendor Reviews                   5\n    NCUA Approved Blanket Waivers          5\n    Credit Union Quarterly Reports         5\n\nMATTERS FOR CONSIDERATION                  6\n\n\n\n\n                                     ii\n\x0c                                       Year 2000 Vendor Review\n\n\n\n\n    Introduction         This is the sixth of the Office of Inspector General\xe2\x80\x99s (OIG) series of\n                         reports addressing the Year 2000 (Y2K) computer problem as it relates\nto the National Credit Union Administration (NCUA) and federally insured credit unions\n(FICUs). This report addresses the OIG review of federally insured credit unions\xe2\x80\x99 information\nsystem vendors and their progress and affect on credit union ability to prepare for the year 2000.\n\nBecause of the time critical nature of the Y2K problem, and in order to provide the NCUA Board\nwith timely information, we are not making formal recommendations or asking for a written\nresponse.\n\n\n\n     Background             The NCUA supervises 11,019 natural person credit unions 6,799\n                            federally chartered and 4,220 state chartered. Approximately 92\npercent of these credit unions were identified as using EDP vendor products for core processing\n(share and loan systems). In August 1997, NCUA issued a letter to all known Information\nSystem Vendors (primary ISVs) that provide service to credit unions. This letter requested the\nvendors to complete a Y2K questionnaire and also mentioned plans to have a vendor conference\nin late 1997. On March 20, 1998, the Examination Parity and Year 2000 Readiness for Financial\nInstitutions Act was enacted giving NCUA and the Office of Thrift Supervision examination\nauthority over ISVs, similar to other financial institution regulators, to assure the safety and\nsoundness of the nation\xe2\x80\x99s financial institutions.\n\nPrior to the enactment of the Examination Parity Act, ten ISVs were reviewed by NCUA and its\ncontractor on a voluntary basis. These ten ISVs served approximately 55 percent of federally\ninsured credit unions. After the enactment of the Examination Parity Act, NCUA and its\ncontractor performed an additional 36 ISV reviews. These 46 ISV reviews covered\napproximately 86 percent of federally insured credit unions. All of these reviews were of primary\nISVs covering core processing systems (primarily share and loan systems). The scope of the\nreviews was to determine the vendors\xe2\x80\x99Y2K process and status to date. The scope was NOT to\ncertify vendor Y2K compliance. The reports are reviewed by NCUA and provided to the vendor\nfor comment. Upon finalization of the report, it is distributed to NCUA regional offices, state\nsupervisory authorities and credit union vendor clients. In addition, an executive summary is\nposted on the NCUA website. The first 10 reviews performed were not distributed and not\nposted on the NCUA website, since they were not performed under the Examination Parity Act.\nThese reports were summarized as to their results via an NCUA Letter to Credit Unions.\n\nOther federal financial institution regulators have performed various EDP reviews which relate to\nY2K issues under direction of the Federal Financial Institutions Examination Council (FFIEC).\nThe federal member agencies, except NCUA, have performed these reviews. Most of these\nreviews, as they relate to credit unions, are of third party vendors (third party ISVs such as credit\ncard processors etc.) Agencies in charge (AIC) perform the reviews and write the reports. The\nFFIEC distributes the reports to member agencies, such as NCUA. NCUA reviews the reports\n\n\n                                                  1\n\x0c                                       Year 2000 Vendor Review\n\n\nand distributes the reports, if there is no distribution restriction, to NCUA regional offices, state\nsupervisory authorities and credit union vendor clients. As of October 13, 1999, 257 FFIEC\nreviews had been performed.\n\nThe NCUA, in addressing potential Y2K problems in FICU information systems, adopted\nmilestone dates for natural person and corporate unions to accomplish specific Y2K tasks. The\npurpose of the milestone dates was to ensure credit union information systems were ready to\nfunction in a timely manner. Benchmark milestone dates were developed to address awareness,\nassessment, renovation, validation/testing, and implementation phases. In early 1998, NCUA\nestablished a policy of providing waivers or extensions to the milestone dates. Waivers and\nextensions have been granted for individual credit unions and blanket waivers for some credit\nunions with common information system vendors. If credit union remediation efforts were not\nperformed in a timely manner in accordance with the milestone dates and waivers, the NCUA\ncould take administrative action against the credit union because of unsafe and unsound practices.\nThe milestone date for system renovation completion was January 31, 1999, for testing\ncompletion June 30, 1999, for substantially implementation July 31, 1999, and for final\nimplementation by September 30, 1999. No milestone dates had been established by NCUA for\nISVs. Through October 31, 1999, NCUA had approved blanket waivers on 13 vendors.\n\nBeginning in 1998, NCUA required all credit unions to file a calendar quarterly report with\nNCUA. These quarterly reports, essentially, provided the status of the credit union\xe2\x80\x99s critical\nsystems in the Y2K phases as reported by the credit union. These reports only listed the primary\nvendor. These quarterly reports were reviewed by the examiner in charge (NCUA or state),\nforwarded to the appropriate NCUA regional office for review and finally forwarded to the Office\nof Examination and Insurance (E&I) for review and database establishment. As of September 30,\n1999, all credit unions were 100 percent renovated, as reported by the credit unions. And 99.97\npercent of all federally insured credit unions were fully implemented, as reported by NCUA.\n\n\n\n     Objectives          Our objectives were: (a) to determine the Y2K status of credit union\n                         system vendors and (b) to determine what action NCUA was taking to\nensure that vendors are making satisfactory progress in providing renovated systems to its credit\nunion clients.\n\n\n Scope and Methodology            This review was of limited scope and was not performed under\n                                  yellow book audit standards. However, we did perform the\nfollowing review procedures in meeting our review objectives:\n\nNCUA Primary ISV reviews:\n\n\xe2\x80\xa2 Reviewed agency guidance regarding ISV vendor reviews\n\xe2\x80\xa2 Interviewed E&I staff regarding vendor review processes, procedures and results\n\xe2\x80\xa2 Reviewed a non-statistical judgmental sample of vendor review reports and executive\n  summaries\n\n\n                                                   2\n\x0c                                     Year 2000 Vendor Review\n\n\n\xe2\x80\xa2 Reviewed postings per NCUA website for vendor reviews\n\nFFIEC ISV reviews:\n\n\xe2\x80\xa2   Reviewed NCUA guidance regarding vendor reviews\n\xe2\x80\xa2   Interviewed E&I staff regarding NCUA review processes, procedures and results\n\xe2\x80\xa2   Scanned listing of FFIEC reports for noted problem issues\n\xe2\x80\xa2   Inquired of E&I staff regarding noted FFIEC reports which resulted in unsatisfactory or needs\n    improvement ratings\n\nNCUA Approved Blanket Waivers:\n\n\xe2\x80\xa2 Reviewed agency guidance regarding blanket waivers\n\xe2\x80\xa2 Interviewed E&I staff regarding blanket waiver processes, procedures and reasons for blanket\n  waiver issuance\n\xe2\x80\xa2 Reviewed blanket waiver documentation supporting the need for approval\n\nMarch 31, 1999 Credit Union Quarterly Reports:\n\n\xe2\x80\xa2 Obtained a listing of 100 percent of credit unions not fully renovated as of March 31, 1999\n\xe2\x80\xa2 Inquired of NCUA regions:\n         -Listing of systems not renovated (system type and vendor)\n         -Reason for non-renovation\n         -Action taken\n         -Current status\n\xe2\x80\xa2 Analyzed quarterly reports for trends among vendors and reasons for non-renovation\n\nSummary Analyses:\n\n\xe2\x80\xa2 Compared timing, action taken and status of:\n    -March 31, 1999 quarterly report of non-renovated systems\n    -NCUA vendor reviews\n    -FFIEC vendor reviews\n    -NCUA approved blanket waivers\n\n\n\n\n                                                3\n\x0c                                      Year 2000 Vendor Review\n\n\n\n\n                                    OBSERVATIONS\nNCUA has reported that substantially all federally insured credit union mission critical systems\nwere renovated by the NCUA testing milestone of June 30, 1999. All but 48 credit unions\nreported that they had met the July 31, 1999 substantially implemented milestone date.\n\nNCUA staff feel confident that the status of vendors is accurately reported due to the various\nprograms which were put in place by NCUA regarding ISV systems. These include:\n\n1.   NCUA conducted on-site primary vendor reviews\n2.   FFIEC vendor reviews\n3.   NCUA examiner and regional office reporting of vendor problems\n4.   Off-site contacts as needed for problem vendors\n5.   Issuance of blanket waivers\n6.   Credit union due diligence in testing vendor products\n\n\n\n                                   NCUA along with a nationally known contractor reviewed 46\n  NCUA Vendor Reviews              primary vendors accounting for approximately 86 percent of\ncredit union primary core systems. These reviews did not certify vendor Y2K compliance but did\ninclude a review of the vendors\xe2\x80\x99Y2K plans and processes. One review was performed in 1997,\n44 were performed in 1998 and one was performed in 1999. All 46 vendors reviewed were rated\nsatisfactory.\n\nWe were provided copies of 30 reports. At the time of NCUA\xe2\x80\x99s review, four of those vendors\nwere in the renovation stage, eight in testing and 18 were in the implementation stage or\ncompleted implementation. The first 10 reviews indicated that all ten were in the renovation\nprocess at the time of NCUA\xe2\x80\x99s review. We reviewed 19 vendor reports. Although all reports\nlisted some considerations for vendors, 17 of those were not major concerns. We noted two\nvendors which were only single person operations and had no formal testing plans. We\nconsidered these to be major concerns. According to E&I, no follow-up vendor reviews have\nbeen performed to date.\n\nAs of September 1999, the NCUA website had 20 executive summaries of reports listed and\nreferred the first 10 summary results to a distributed NCUA Letter to Credit Unions. This leaves\n16 vendor review results unposted at a time when substantially all credit unions are reported to be\nsubstantially implemented. This was due primarily to delays between E&I review of the reports\nand receipt of vendor comments on the draft reports.\n\n\n\n\n                                                 4\n\x0c                                      Year 2000 Vendor Review\n\n\n\n\n  FFIEC Vendor Reviews             We reviewed a listing of 158 FFIEC vendor review reports.\n                                   We noted that four vendors had noted problems causing a\nformal agreement with FFIEC and/or needs improvement or unsatisfactory rating. With each one\nof these vendors, the AIC had conducted follow-up reviews. Two of these vendors are still under\nwritten agreements with FFIEC as of October 13, 1999.\n\nSince May 1999, the FFIEC has issued an additional 99 reports. E&I is still in the process of\ndistributing these reports.\n\n\n  NCUA Approved              NCUA approved a total of 13 blanket waivers. Seven of these\n                             waivers were approved retroactive to cover milestone dates that had\n  Blanket Waivers\n                             passed. NCUA approved these waivers to document action taken by\nthe agency.\n\nNCUA contacted vendors, who were covered by a blanket waiver, for information regarding the\ncause, status and plans on addressing the Y2K issue at hand. Nearly all of these waivers were due\nto testing concerns, in that test results were not available at NCUA milestone dates. However,\none corporate credit union caused a blanket waiver to be issued due to slow system renovation as\nit related to natural person credit unions. In this regard, the corporate credit union system was a\nvendor system for client natural person credit unions. National and regional staff contacted the\ncorporate and the system has since been renovated, tested and implemented.\n\nNCUA is able to determine how many credit unions are clients of particular vendors by reviewing\nNCUA database information. The FFIEC provided listings of credit union clients for the vendors\nwhich they reviewed. The listing of whether any particular vendor product is a critical system was\nto be determined by the credit union. However, no national analysis was performed regarding\nhow many or which credit unions should have or could be expected to apply for a waiver under\nthe blanket authority. E&I stated the regions are responsible for such analysis, however, at least\nfour regions do not maintain vendor client lists.\n\n   Credit Union             Our review of quarterly information reports for non-renovated\n                            systems did not identify any major trends of any vendor not being\n Quarterly Reports\n                            renovated. The substantial majority of non-renovated systems were\ndue to vendor system installation scheduling and system conversions.\n\nAs of March 31, 1999, there were 287 credit unions reported as not 100 percent renovated.\nHowever, as of September 30, 1999 all credit unions reported being 100 percent renovated.\n\n\n\n\n                                                5\n\x0c                                     Year 2000 Vendor Review\n\n\n\n\n                     MATTERS FOR CONSIDERATION\n\nSince NCUA has reported that 99.97 percent of all federally insured credit unions were fully\nimplemented as of September 30, 1999, we offer no substantial recommendations. However, we\nencourage the following:\n\n\xe2\x80\xa2 Continue to post NCUA vendor reports to the NCUA website and distribute appropriately.\n\xe2\x80\xa2 Continue to distribute FFIEC reports, as appropriate\n\xe2\x80\xa2 As new vendor problems arise, if any, promptly notify affected regions, state regulators and\n  client credit unions\n\n\n\n\n                                               6\n\x0c'